diff --git a/rules/windows/builtin/win_susp_mshta_execution.yml b/rules/windows/builtin/win_susp_mshta_execution.yml index b1599fba5..eeadccdef 100644 --- a/rules/windows/builtin/win_susp_mshta_execution.yml +++ b/rules/windows/builtin/win_susp_mshta_execution.yml @@ -2,8 +2,8 @@ title: MSHTA Suspicious Execution 01 id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3 status: experimental description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism -date: 22/02/2019 -modified: 22/02/2019 +date: 2019/02/22 +modified: 2019/02/22 author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) references: - http://blog.sevagas.com/?Hacking-around-HTA-files diff --git a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml index 9ac70a658..a2a2546fa 100644 --- a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml +++ b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml @@ -5,7 +5,7 @@ description: Trickbot enumerates domain/network topology and executes certain co references: - https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/ author: David Burkett -date: 12/28/2019 +date: 2019/12/28 tags: - attack.t1482 logsource: diff --git a/rules/windows/process_creation/win_susp_svchost_no_cli.yml b/rules/windows/process_creation/win_susp_svchost_no_cli.yml index e4829b14d..d635c590a 100644 --- a/rules/windows/process_creation/win_susp_svchost_no_cli.yml +++ b/rules/windows/process_creation/win_susp_svchost_no_cli.yml @@ -5,7 +5,7 @@ description: It is extremely abnormal for svchost.exe to spawn without any CLI a references: - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 author: David Burkett -date: 12/28/2019 +date: 2019/12/28 tags: - attack.t1055 logsource: 
diff --git a/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml b/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml index 73771eea7..d5e77adb6 100644 --- a/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml +++ b/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml @@ -6,7 +6,7 @@ description: Detects the access to processes by other suspicious processes which few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. status: experimental -date: 27/10/2019 +date: 2019/10/27 author: Perez Diego (@darkquassar), oscd.community references: - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/ diff --git a/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml b/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml index 4b40451f6..556b2b6f9 100644 --- a/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml +++ b/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. -date: 27/10/2019 +date: 2019/10/27 modified: 2019/11/13 author: Perez Diego (@darkquassar), oscd.community references: diff --git a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml index bf8515aa6..6f6c9f6b4 100644 --- a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml 
+++ b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml @@ -8,7 +8,7 @@ author: Florian Roth, Markus Neis tags: - attack.persistence - attack.t1060 -date: 2018/25/08 +date: 2018/08/25 modified: 2020/02/26 logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml index 8d1519e4b..00d51a6a7 100644 --- a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml +++ b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml @@ -6,7 +6,7 @@ description: Offensive tradecraft is switching away from using APIs like "Create notes: - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools. status: experimental -date: 27/10/2019 +date: 2019/10/27 modified: 2019/11/13 author: Perez Diego (@darkquassar), oscd.community references:
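Review bot: The seven `date:` fixes in this patch are all correct, but the originals show three different orderings (DD/MM/YYYY in `22/02/2019` and `27/10/2019`, MM/DD/YYYY in `12/28/2019`, and a swapped YYYY/DD/MM in `2018/25/08`), so each conversion relies on the reviewer knowing which convention the rule author used; consider pairing this change with a repository check that rejects any `date:` or `modified:` value not matching `YYYY/MM/DD` with a month in 01..12, so a value such as `2018/25/08` fails at pull-request time instead of being caught by hand in a later sweep like this one.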
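Review bot: The unchanged context in the `sysmon_minidumwritedump_lsass.yml` hunk carries spelling errors that are cheap to fix in the same pass: `tradecract` should read `tradecraft`, and the C2 framework named in the description is spelled SILENTTRINITY, not `SilentTrynity`; the file name itself is also missing a letter (`minidumwritedump` for `minidumpwritedump`), but since renaming a rule file changes what downstream consumers pull by path, that correction is better done in its own commit with a note in the changelog.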